Session Hijacking Prevention in Java (Struts 2.0) | Error Encountered

I'm developing an application in Java which seems to have a session hijacking vulnerability.

In order to prevent this, the recommendation is to change the JSESSIONID for a user after login.

My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID after the user logs in.

However, I am facing the following problem while running the code.

java.lang.IllegalStateException: setAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)

Here is the code that I wrote:

HttpServletRequest request = ServletActionContext.getRequest();
HttpSession httpSession = request.getSession();

// Copy every attribute out of the current session so it can be restored after rotation.
// (JSESSIONID is a cookie, not a session attribute, so this check never matches anything.)
HashMap<String, Object> attributes = new HashMap<String, Object>();
Enumeration<String> enames = httpSession.getAttributeNames();
while ( enames.hasMoreElements() )
{
    String name = enames.nextElement();
    if ( !name.equals( "JSESSIONID" ) )
    {
        attributes.put( name, httpSession.getAttribute( name ) );
    }
}

// Invalidate the old session and have Tomcat issue a fresh one (new JSESSIONID).
httpSession.invalidate();
httpSession = request.getSession(true);

// userInfoMap / getSession() are assumed to be the Struts SessionMap injected for this
// request; it still wraps the invalidated HttpSession, so SessionMap.put() (see the
// stack trace) ends in StandardSession.setAttribute on a dead session.
for ( Map.Entry<String, Object> et : attributes.entrySet() )
{
    userInfoMap.put( et.getKey(), et.getValue() );
}
getSession().put("userid",userId);//Setting value to session

Usually when you invalidate the session you should redirect to some action, so the new session map will be injected into it if the action implements SessionAware.

But in the code you posted you are trying to reuse the session map while it still contains an old session.
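The following is an added example (not code from the question or the answer) showing the pattern the answer describes: a hypothetical Struts 2 login action that rotates the session id after authentication, writes the post-login state to the fresh HttpSession directly instead of to the stale injected SessionMap, and then redirects so that the next request receives a SessionMap bound to the new session. The class name, the userId form field and the authentication step are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.SessionAware;

import com.opensymphony.xwork2.ActionSupport;

// Hypothetical login action (added example; not from the original post).
public class LoginAction extends ActionSupport implements SessionAware {

    // Injected by the servletConfig interceptor; valid only for the session that
    // existed when THIS request started. After invalidate() it wraps a dead session.
    private Map<String, Object> session;
    private String userId;   // assumed form field, populated by the params interceptor

    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    public void setUserId(String userId) {
        this.userId = userId;
    }

    public String execute() {
        // Assumption: credentials have already been verified at this point.
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession fresh = rotateSession(request);

        // Write to the new HttpSession directly. Using this.session.put(...) here
        // would hit the invalidated session and throw IllegalStateException.
        fresh.setAttribute("userid", userId);

        // Return a result mapped to a redirect in struts.xml. The browser comes back
        // with the new JSESSIONID cookie, and Struts injects a SessionMap bound to the
        // new session into whichever SessionAware action handles that request.
        return SUCCESS;
    }

    /**
     * Copies the attributes of the current session (if any), invalidates it and
     * returns a brand-new session so Tomcat issues a new JSESSIONID. Copying the
     * attributes keeps pre-login state (e.g. a shopping cart) across the rotation.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

In struts.xml the SUCCESS result for this action should be a redirect result to the post-login action rather than a plain dispatcher forward; a forward would run inside the same request, where any SessionAware action would still receive the map that wraps the invalidated session. Only carry attributes across the rotation that you actually want an authenticated session to inherit; anything that must not survive from the pre-login state should be left out of the copy.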
